some more .39 patches

4 files changed, 200 insertions, 0 deletions

diff --git a/review-2.6.39/alpha-fix-several-security-issues.patch b/review-2.6.39/alpha-fix-several-security-issues.patch
new file mode 100644
index 0000000000..5c07342364
--- /dev/null
+++ b/review-2.6.39/alpha-fix-several-security-issues.patch
@@ -0,0 +1,91 @@
+From 21c5977a836e399fc710ff2c5367845ed5c2527f Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Wed, 15 Jun 2011 15:09:01 -0700
+Subject: alpha: fix several security issues
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 21c5977a836e399fc710ff2c5367845ed5c2527f upstream.
+
+Fix several security issues in Alpha-specific syscalls.  Untested, but
+mostly trivial.
+
+1. Signedness issue in osf_getdomainname allows copying out-of-bounds
+kernel memory to userland.
+
+2. Signedness issue in osf_sysinfo allows copying large amounts of
+kernel memory to userland.
+
+3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy
+size, allowing copying large amounts of kernel memory to userland.
+
+4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows
+privilege escalation via writing return value of sys_wait4 to kernel
+memory.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/alpha/kernel/osf_sys.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/arch/alpha/kernel/osf_sys.c
++++ b/arch/alpha/kernel/osf_sys.c
+@@ -409,7 +409,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char
+ 		return -EFAULT;
+ 
+ 	len = namelen;
+-	if (namelen > 32)
++	if (len > 32)
+ 		len = 32;
+ 
+ 	down_read(&uts_sem);
+@@ -594,7 +594,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
+ 	down_read(&uts_sem);
+ 	res = sysinfo_table[offset];
+ 	len = strlen(res)+1;
+-	if (len > count)
++	if ((unsigned long)len > (unsigned long)count)
+ 		len = count;
+ 	if (copy_to_user(buf, res, len))
+ 		err = -EFAULT;
+@@ -649,7 +649,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned
+ 		return 1;
+ 
+ 	case GSI_GET_HWRPB:
+-		if (nbytes < sizeof(*hwrpb))
++		if (nbytes > sizeof(*hwrpb))
+ 			return -EINVAL;
+ 		if (copy_to_user(buffer, hwrpb, nbytes) != 0)
+ 			return -EFAULT;
+@@ -1008,6 +1008,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
+ {
+ 	struct rusage r;
+ 	long ret, err;
++	unsigned int status = 0;
+ 	mm_segment_t old_fs;
+ 
+ 	if (!ur)
+@@ -1016,13 +1017,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
+ 	old_fs = get_fs();
+ 		
+ 	set_fs (KERNEL_DS);
+-	ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
++	ret = sys_wait4(pid, (unsigned int __user *) &status, options,
++			(struct rusage __user *) &r);
+ 	set_fs (old_fs);
+ 
+ 	if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
+ 		return -EFAULT;
+ 
+ 	err = 0;
++	err |= put_user(status, ustatus);
+ 	err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
+ 	err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
+ 	err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
diff --git a/review-2.6.39/oom-task-mm-null-doesn-t-mean-the-memory-was-freed.patch b/review-2.6.39/oom-task-mm-null-doesn-t-mean-the-memory-was-freed.patch
new file mode 100644
index 0000000000..016baf5784
--- /dev/null
+++ b/review-2.6.39/oom-task-mm-null-doesn-t-mean-the-memory-was-freed.patch
@@ -0,0 +1,50 @@
+From c027a474a68065391c8773f6e83ed5412657e369 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Sat, 30 Jul 2011 16:35:02 +0200
+Subject: oom: task->mm == NULL doesn't mean the memory was freed
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit c027a474a68065391c8773f6e83ed5412657e369 upstream.
+
+exit_mm() sets ->mm == NULL then it does mmput()->exit_mmap() which
+frees the memory.
+
+However select_bad_process() checks ->mm != NULL before TIF_MEMDIE,
+so it continues to kill other tasks even if we have the oom-killed
+task freeing its memory.
+
+Change select_bad_process() to check ->mm after TIF_MEMDIE, but skip
+the tasks which have already passed exit_notify() to ensure a zombie
+with TIF_MEMDIE set can't block oom-killer. Alternatively we could
+probably clear TIF_MEMDIE after exit_mmap().
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ mm/oom_kill.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -285,7 +285,7 @@ static struct task_struct *select_bad_pr
+ 	do_each_thread(g, p) {
+ 		unsigned int points;
+ 
+-		if (!p->mm)
++		if (p->exit_state)
+ 			continue;
+ 		if (oom_unkillable_task(p, mem, nodemask))
+ 			continue;
+@@ -301,6 +301,8 @@ static struct task_struct *select_bad_pr
+ 		 */
+ 		if (test_tsk_thread_flag(p, TIF_MEMDIE))
+ 			return ERR_PTR(-1UL);
++		if (!p->mm)
++			continue;
+ 
+ 		if (p->flags & PF_EXITING) {
+ 			/*
diff --git a/review-2.6.39/proc-restrict-access-to-proc-pid-io.patch b/review-2.6.39/proc-restrict-access-to-proc-pid-io.patch
new file mode 100644
index 0000000000..6e8dedfb18
--- /dev/null
+++ b/review-2.6.39/proc-restrict-access-to-proc-pid-io.patch
@@ -0,0 +1,56 @@
+From 1d1221f375c94ef961ba8574ac4f85c8870ddd51 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segoon@openwall.com>
+Date: Fri, 24 Jun 2011 16:08:38 +0400
+Subject: proc: restrict access to /proc/PID/io
+
+From: Vasiliy Kulikov <segoon@openwall.com>
+
+commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51 upstream.
+
+/proc/PID/io may be used for gathering private information.  E.g.  for
+openssh and vsftpd daemons wchars/rchars may be used to learn the
+precise password length.  Restrict it to processes being able to ptrace
+the target process.
+
+ptrace_may_access() is needed to prevent keeping open file descriptor of
+"io" file, executing setuid binary and gathering io information of the
+setuid'ed process.
+
+Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/base.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2762,6 +2762,9 @@ static int do_io_accounting(struct task_
+ 	struct task_io_accounting acct = task->ioac;
+ 	unsigned long flags;
+ 
++	if (!ptrace_may_access(task, PTRACE_MODE_READ))
++		return -EACCES;
++
+ 	if (whole && lock_task_sighand(task, &flags)) {
+ 		struct task_struct *t = task;
+ 
+@@ -2892,7 +2895,7 @@ static const struct pid_entry tgid_base_
+ 	REG("coredump_filter", S_IRUGO|S_IWUSR, proc_coredump_filter_operations),
+ #endif
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+-	INF("io",	S_IRUGO, proc_tgid_io_accounting),
++	INF("io",	S_IRUSR, proc_tgid_io_accounting),
+ #endif
+ };
+ 
+@@ -3230,7 +3233,7 @@ static const struct pid_entry tid_base_s
+ 	REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
+ #endif
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+-	INF("io",	S_IRUGO, proc_tid_io_accounting),
++	INF("io",	S_IRUSR, proc_tid_io_accounting),
+ #endif
+ };
+ 
diff --git a/review-2.6.39/series b/review-2.6.39/series
index 6bb4232b19..8534859818 100644
--- a/review-2.6.39/series
+++ b/review-2.6.39/series
@@ -69,3 +69,6 @@ cifs-lower-default-and-max-wsize-to-what-2.6.39-can-handle.patch
 bridge-send-proper-message_age-in-config-bpdu.patch
 gro-only-reset-frag0-when-skb-can-be-pulled.patch
 fs-cache-fix-__fscache_uncache_all_inode_pages-s-outer.patch
+oom-task-mm-null-doesn-t-mean-the-memory-was-freed.patch
+proc-restrict-access-to-proc-pid-io.patch
+alpha-fix-several-security-issues.patch